Behrouz Sadeghipour, 24, uses his computer to find hacker opportunities in his apartment in Sacramento on Dec. 15. Sadeghipour is an intern at Bugcrowd – an organization that employs hackers to find flaws in the computer programs of large firms like Google, Facebook and other websites. He is a “white hat,” a good guy trying to stop the “black hats” from stealing people’s data.
Randy Pench
rpench@sacbee.com

Behrouz Sadeghipour, 24, uses his computer to find hacker opportunities in his apartment in Sacramento on Dec. 15. Sadeghipour is an intern at Bugcrowd – an organization that employs hackers to find flaws in the computer programs of large firms like Google, Facebook and other websites. He is a “white hat,” a good guy trying to stop the “black hats” from stealing people’s data.
Randy Pench
rpench@sacbee.com

CSUS student hunts for computer bugs as a ‘white hat’

In the world of computer hackers, Behrouz (“Ben”) Sadeghipour, a 24-year-old junior at Sacramento State, is one of the good guys – a “white hat.”

Working from his midtown apartment, he spends at least 20 hours each week hunched over a computer looking for bugs that could unravel a computer system. His research keeps data safe from the “black hats,” hackers who are trying to break into computers and steal data from companies and individuals.

And for that work, he earns “bug bounties” – cash or prizes paid by companies that want to spot security flaws before bad guys can exploit them.

Sadeghipour juggles school with his work as a paid intern at Bugcrowd Inc., a San Francisco-based computer security company that acts as a marketplace for companies that want white hats to test their computer systems.

Currently, Sadeghipour says he has an 80 percent accuracy rate in finding security flaws in a company’s software. His reputation has led to speaking invitations at hacking conferences about being a white-hat bug bounty hunter.

The CSUS computer science major grew up in Orangevale and graduated from Bella Vista High School and attended Los Rios Community College before enrolling at Sacramento State. He recently spoke to The Bee about his white-hat work:

Q: How did you start working as a white hat?

A: I learned there are companies – like Google, Microsoft, Yahoo and PayPal – out there hiring hackers and giving them prizes to find weaknesses in their systems. They say, “We will give you a prize if you tell us how you did it and don’t steal our data.” Some go through third-party firms like Bugcrowd that post programs that need to be tested on their websites. Sites like Bugcrowd offer a page online that ranks bounty hunters by percentage of accuracy. Today I have an 80 percent accuracy rate.

Q: How did this turn into a job at BugCrowd?

A: In February, I started working as freelancer. I found a lot of bugs, and companies were impressed by that. I started talking to Jonathan Cran, the vice president of operations at Bugcrowd, on Twitter. Then I met Cran and other top executives at two white-hat conferences in Las Vegas. In July they offered me an internship and I started in September. When I graduate, I would like to work at Bugcrowd or at some other company, something in security.

Q: How much money did you make as a freelance hacker?

A: I made $20,000 from 20 to 30 reports (between February and September this year). I had over 100 reports, but some companies that work through Bugcrowd and other intermediary sites only give a T-shirt or free services. GitHub – a coding website – for example, gave me a few hundred dollars and a package with mugs, T-shirts and a subscription to their services for finding a flaw in their system.

Q: If white hats are only paid modestly, are they in it just for the sport?

A: Some are in it for the recognition. Bugcrowd, and other organizations like it, have a page dedicated to bounties. Some rank the bounty hunters on a leader board and others list each person’s percentage of success. You get your name out there and job offers. Some do it strictly for the money. White hats can make $70,000 to $80,000, along with the salary from their (regular) job.

Q: How did your interest in computers and hacking begin?

Related stories from The Sacramento Bee

A: When I was a little boy, my mom’s way of disciplining me was to not let me go on the computer when I wanted. She would put a password on the computer, and I would sit there until I cracked it. I started to read hacking articles online. I learned code and practiced by hacking my own code. I made money by helping anybody who needed something done on a computer.

Q: What made you decide to become a white-hat hacker?

A: When I was 18, I actually decided to stop working on computers. My family kept telling me hacking is illegal. I didn’t want to get in trouble. I stopped practicing hacking for three years until I heard about bug bounties. Then I found out that there are white hats and black hats. Black hats steal data. White hats choose to be researchers. It depends whether you want to make more money in the dirty way or make less money in the good way.

Q: Why should college students work as white hats?

A: It offers hands-on experience vs. the stuff you learn in school. School offers theory, and it is up to you to put it to work. Doing bug bounties has helped me cruise through my classes. I’m taking information security classes next semester and I’m looking at my syllabus and it seems too easy. I’ve learned more in the nine months I have been involved in bug bounties than all my previous years in school.

Q: How do you manage school and working as a white hat?

A: I work from home (for Bugcrowd) 20 hours a week. In the beginning I would drive to San Francisco each Friday. Now, if we can Skype, we do; if not, I go in.

Q: What your proudest accomplishment?

A: I was reading someone’s findings online and thought “I want to be this guy. I want to be in the top 10 on Yahoo.” In a couple of months, I made that happen. The second thing is the fact my family is proud of me. If you Google my name, you see a lot of articles about me. I’m getting a lot of recognition.